Java Deserialization Vulnerability

This security advisory has been published in response to recent publications regarding a Java Deserialization Vulnerability.

Detailed Description

Following a review of the article noted in the External Links section, Mitel has identified that the vulnerability is associated with the Apache Commons Collections library, specifically the InvokerTransformer functions. As such, the vulnerability is not specific to Java serialization itself; rather, the Commons Collections library contains a vulnerable mechanism that could allow arbitrary code to be run.

The Apache Commons Collections library is used by components and frameworks such as WebLogic, WebSphere, JBoss, Jenkins and OpenNMS. In cases where the vulnerable version of Apache Commons Collections is in use, these components are also potentially vulnerable.
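
One way to find which deployed archives bundle the InvokerTransformer class named above, including copies nested inside WAR/EAR files. This is an added example, not code from Mitel or Apache. The two class-file paths assume the standard 3.x and 4.x package layouts of Apache Commons Collections, and a hit only marks a component for a version check against vendor guidance; it does not show that the component is exploitable.

```python
import io
import os
import sys
import zipfile

# Assumed class-file paths for InvokerTransformer (3.x and 4.x package layouts).
TARGETS = (
    "org/apache/commons/collections/functors/InvokerTransformer.class",
    "org/apache/commons/collections4/functors/InvokerTransformer.class",
)
ARCHIVE_EXT = (".jar", ".war", ".ear")


def scan_archive(data, label, depth=0, max_depth=4):
    """Return one line per InvokerTransformer class found in this archive or nested ones."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # unreadable or non-zip file: skip it, keep scanning the rest
    with zf:
        for name in zf.namelist():
            if name.endswith(TARGETS):
                # endswith also matches repackaged layouts such as BOOT-INF/classes/...
                hits.append(f"{label} -> {name}")
            elif name.lower().endswith(ARCHIVE_EXT) and depth < max_depth:
                # WAR/EAR files carry their libraries as nested JARs (e.g. WEB-INF/lib)
                hits += scan_archive(zf.read(name), f"{label}!{name}", depth + 1, max_depth)
    return hits


def scan_tree(root):
    """Walk a directory and scan every JAR/WAR/EAR file found under it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    hits += scan_archive(fh.read(), path)
    return hits


if __name__ == "__main__":
    # Usage: python scan.py /path/to/install/dir   (path is a placeholder)
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

Each output line gives the archive path, any nested archive after `!`, and the matching class entry, so the owning component can be identified and its library version checked.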

Affected Products

Only products using Java, and those using the vulnerable InvokerTransformer functions, are potentially vulnerable. The following products have been identified as affected: (updated 2016-05-03)